Like hundreds of thousands of others, our prime ministers and diplomats are hacked on their phones. Can anything be done to stop it?
An opinion article by Rufo Guerreschi, the director of the Trustless Computing Association, appeared on Le Temps, Geneva leading daily newspaper. It appeared in two version: a 1,000-words version (here is a pdf) that covered most of page two and a 3,000-words version, with many links and reference, for their digital version (a pdf export, as it is behind a paywall).
Unless you read French, read below the original English version of the longer digital version:
Last November we learned that the then UK foreign minister Liz Truss was spied on for months on her mobile communications with colleagues, friends and foreign diplomats. A few days later, the president and foreign minister of Switzerland Ignazio Cassis, and 100 other top officials, were revealed to have been victims of hacking-for-hire by Indian hacker gangs, via UK legal firms.
They are in good company. Last year alone, the sitting prime ministers of Spain and of Finland, the head of opposition of Greece and of Poland, the son of the new prime minister of Israel, and the editor of the Financial Times, suffered the same fate.
The scale and possible solutions were summarized in a shocking 150 pages draft report on spyware presented last November by a dedicated EU Parliament committee, whose rapporteur summed it up as “much, much worse than Watergate”.
Earlier last year, the UK Minister of Defense and several EU parliamentarians were fooled by foreign agents impersonating the attorney of a Russian opposition leader. Even the president of the US and his personal associates run similar risks, as detailed in 2017 by the New York Times.
What expectation can we have that all other prime ministers - like Meloni, Macron, Scholtz, or Lula da Silva - their ministers, parliamentarians and/or their close associates are not also continuously hacked on their smartphones? Do they maybe have some better magic protection tools that exceed those that the UK GCHQ can deploy for Ms Truss?
Just as concerning, current smartphones enable users to reliably delete evidence of crimes to evade criminal accountability, as shown by investigations on the US president's secret service detail and leaders of a top swiss bank, while criminals or rogue group in security agencies may have acquired such evidence before its deletion for use in blackmail, or accessed it via hidden features in leading forensic tools like Cellbrite.
As terrible as this is for our democracies, it's just the tip of the iceberg, because victims are most likely in the hundreds of thousands and those at risk in the millions, as we detail below. Nearly everyone with power or money is a target or victim, including nearly all elected officials, diplomats, businessmen, journalists, activists, their organizations, and their close associates inter-governmental organizations.
This state of affairs constitutes a vital threat to our democracies and human rights, and greatly stifles and distorts diplomatic dialogue.
Are our leaders careless? Why don't they use their classified "work" phones?
Sure, our leaders could be more careful using their "work" phones instead of vulnerable smartphones, and they should.
They should assume that any use of their smartphone could result in blackmail, extortion or public shaming as legal or illegal snapshots of their life could be leaked to the media and published out of context or to prosecutors.
But mostly they have no choice, since the overwhelming majority of those they need to speak to about sensitive non-classified matters cannot cannot have those "work" phones, have foreign incompatible ones.
So they are are stuck to communicating via dominant secure messaging apps, like Signal, Telegram, Threema, Matrix or Wire, if they want to function at all - “for the same reasons as the rest of us” as The Economist put it in a recent article.
Most of them know the risks by now, but they still do "for the same reasons as the rest of us", as The Economist wrote last month, following Liz Truss’s hack. “A similar attack on a government-issued phone would have been more difficult. But those phones are cumbersome to use. They come with long passwords that must be entered every time they are picked up; you cannot install apps you need to use without the permission of the IT department; their chat apps tend to be configured with tedious two-factor authentication. And, importantly, the daily chatter with political colleagues is not on that phone. It’s a pain to have two devices”, the British magazine goes on to say.
At the very least, they could and should raise awareness of the risks, instead of formally approving certain secure messaging apps on a smartphone as suitable for classified "confidential", as Switzerland did in 2019 for Threema, after a certification processes that was shown to be extremely inadequate by two Swiss students last week that found in it seven more and less critical vulnerabilities.
They are forced to use hegemonic mobile phones, app stores and apps if they want to function at all in their job or life, while evidently, no protective tools by their security agencies are remotely sufficient.
To make matters even worse, they are forced into extensive self-censorship to try to minimize the risks, with enormous costs to personal and professional efficiency. Also, the difficulty of attributing hacks on today's devices makes it often impossible to know if a leak was due to a hacker or to the victim's interlocutor, as seen in the hack of Finnish Prime Minister Sanna Marin, fostering distrust among associates, and more self-censorship.
Are hackers just too good? Can't those phones be made more secure?
Every year, Apple, top Android phone makers, and cybersecurity protection suite makers, introduce new security improvements. Like a mirage, decent security is never attained.
Why is that? Sure, state and non-state hackers keep significantly increasing their investments. Yet, we can make IT devices that are both reliably secure against the most advanced attackers and accessible to interception only to intended entities - as argued in this detailed academic paper by the Trustless Computing Association, and as shown in practice by Crypto AG, the Swiss-based western standard devices for secure diplomatic communications in the Cold War.
Two are the real root causes. First, hyper-complexity and obscurity are demanded by competition for rich entertainment performance features that are required of top-end smartphones. Second, the unconfessed need to surreptitiously ensure that several powerful nations can hack them at any time to prevent terrorist, enemy or adversary nations.
In addition, carrying an extra device may be acceptable for the most targeted persons but too cumbersome for their many sensitive non-classified interlocutors.
Is the problem limited to a few hundred top officials?
The number of those hacked or at risk is not easy to quantify or even approximate, by design. Security agencies go to great lengths to ensure that a large number of criminals and terrorists over-estimate the security of secure mobile solutions so that they can continue their legitimate interception, while spyware and secure IT companies like Apple play along, for profit reasons. Every once in a while, the FBI pretends to be unable to hack an iPhone as in the San Bernardino case, whereby simple researchers and companies were able to.
But once in a while, some hard verified data comes around. The lawsuit that Facebook has against NSO Group provides details and proofs of 1400 WhatsApp hacked worldwide in the course of just 2 weeks. The NSO Group, just one of a dozen spyware firms in Israel alone, testified last June to the 42-strong PEGA EU Parliament Committee of spyware that over 12,000 citizens each year are hacked via their Pegasus system.
But those numbers (1) do not include dozens of other similar spyware companies that rent or sell to nations and private groups; (2) nor do they include those hacked by security agencies of powerful nations like the US, China and Russia; (3) nor hundreds or thousands of other entities to discover, buy, steal, or just rent access to illegitimately hacking of high-profile users, as shown by Shadow Brokers and Vault 7 scandals, as consequence of the surreptitious way in which powerful nations ensure their "backdoor" access.
Last October Kaspersky declared it had found and “fully deconstructed” the most advanced German and UK spyware, FinFisher, enabling them to fully re-use it. The same could have been done by others. Already ten years ago powerful national security agencies like, and to a lesser extent some semi-private spyware companies, had capabilities to turn targeted endpoint surveillance into a highly scalable enterprise via systems and programs, like the newer versions of the 2008 NSA FoxAcid and NSA Turbine.
Furthermore, a vast majority of these cyber crimes go undiscovered for years, if ever, as they often leave no trace, as outlined above. When discovered, they are nearly always kept secret as both victims and attackers gain from keeping them unreported. Victims are not required to disclose. The hacking of state officials is often classified as state secret.
Apple declared in 2021, the attacks should not worry because exploits: “cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users,the overwhelming majority of our users”. Their use of the term “overwhelming” is compatible with hundreds of thousands of devices hacked, which would amount to 0.01% of the 1.5 billion iPhones out there.
The New York Times reported in 2018 about NSO Group: “Clients could then pay more to target additional users, saving as they spy with bulk discounts: $800,000 for an additional 100 phones.”, which brings the price to €8,000 per target (Though the price is apparently higher nowadays). And that’s for the Rolls-Royce of hacking tools!
From the above, we can therefore estimate that the number of victims are in the many hundreds of thousands every year, while those at risk are in several millions world-wide.
As opposed to what security agencies, smartphone makers and uncritical media want us to believe those most at risk have known the truth for some time now. Pre-Covid surveys by UBS and by Northern Trust found that the 16 million wealthiest persons in the World and family offices regard cybersecurity as their n.2 or their n.1 concern, respectively.
It is nothing short of a public security and democratic emergency, as well as a huge market demand.
Can the solution reside in the ban or regulation of spyware?
The mentioned EU parliamentary committee report on spyware, in line with leading US global human rights organizations, suggests ban, moratorium and regulation of the use, sale and oversight of spyware by member states, but also starkly acknowledged the phoenomenal limitations of the EU to adequately deal with the problem given its natura and EU jurisdictional limits and decision making mechanisms.
A national or EU ban on the use of spyware by duly-authorized security agencies prevents them from being able to intercept the most dangerous criminals and terrorists, while criminals and unregulated nations could continue to spy at will.
The suggested regulation changes are direly needed, and would make a big difference, especially in the actual accountability of a nation's use of spyware towards its citizens and the EU.
But they face the largely unsolvable technical, operational and jurisdictional complexities inherent with advanced spyware - and the complexity and obscurity of secure mobile devices and their forensics - which would make their enforcement largely ineffective.
Furthermore, the EU is deeply and structurally unable to solve this problem alone due to lack of powers and jurisdiction, and its unanimity decision-making mechanisms, as starkly stated by the above mentioned EU Parliament report.
Towards more comprehensive and effective solutions
So, a resolutive solution must inevitably start from somehow ensuring mobile devices are widely accessible for sensitive users that are not merely more resistant to the most sophisticated attacks but radically so. We know how to do that, as mentioned above in regards to Crypto AG, and as proven by our success in nuclear safety and civil aviation.
But then who guarantees and oversees that the best engineering is applied and extremely powerful compromisation attempts are thwarted? How do we ensure wide adoption of such devices in a hegemonic mobile device market? How do we prevent their abuse by criminal, terrorists and adversarial nations? Suitable solutions would need to be both widely-adoptable and globally-trusted by a wide majority of sensitive persons all around the world, and reliably enable only legitimate lawful access, national and international.
To be widely-adoptable, it must be convenient and cheap enough to be adopted by a large majority of the typical interlocutors of our elected officials and other vulnerable persons.
Sure, we'd love to solve it with an open-source secure messaging app that everyone can review, but it can only be as secure as the device they run on. An external hardware solution would only protect from some of the hardware vulnerabilities.
So the answer must be an additional standalone hardware device. But everyone is weary of carrying an extra device.
Fortunately, the same miniaturization today that enables foldable phones could enable an ultra-thin minimalistic but ultra-secure device to be embedded face-out in the back of any smartphone or carried face-out in custom leather wallets, for those that prefer that.
To be globally-trusted, all critical technical and process of the solution and its use should be openly inspectable, and minimal enough to be sufficiently inspectable.
Given that the utmost security cannot be verified "after the sausage is made", any technical and human components, including every coder, architect, critical tech provider, chip fabrication, and user training, should be subject to full transparency, and extremely trustworthy oversight.
Design quality and oversight should be assured by some international body, whose governance quality can be assessed by moderately educated and informed citizens, just as in properly designed democratic election processes and procedures.
It could involve a mix of globally-diverse nations, IGOs and NGOs, randomly-sampled world citizens, and proven "ethical" experts.
To enable legitimate lawful access nationally and internationally, while sufficiently reducing the risk of its abuse, is something that highly influential US-based libertarian privacy activists and security experts have argued in several detailed papers cannot be done. There are instead solid practical precedents and scientific arguments that a secure-enough procedural “front-door” mechanism overseen by a global trustworthy third party, involving ultra-secure minimized IT systems.
That was proven in practice by Crypto AG, the Swiss-based western standard devices for secure diplomatic communications in the Cold War - that was revealed to have been be owned and systematically intercepted by the CIA and its German equivalent - and argued in theory in a paper that the author published in 2018, Position Paper: Case for a Trustless Computing Certification Body - contradicting highly-influential detailed analysis by a group of US libertarian IT security experts about the impossibility, in all cases, of a secure-enough "front-door” mechanism.
Both point to the fact that there may is a distinct possibility it could work by applying the same extreme technical and organizational safeguards, and checks and balances, to both an ultra-secure IT system and "in-person" procedural lawful access mechanisms - including via authorization by several randomly-selected citizens for national ones, and an international judicial board for international ones - both accountable to an highly trustworthy and resilient international certification body.
While recognizing that adding a “front-door” access would inevitably add some additional potential vulnerability, we conclude that such an approach has a good chance to overall radically or at least substantially reduce the privacy risk in respect to any other alternative secure IT system available today, or knowingly in development, which does not offer such ”front-door”.
What would a solution overall look like?
A much more definitive solution could entail a small set of globally-diverse nations, NGOs and IGOs that join together to create (1) an open inter-governmental certification body to guarantee both the utmost security and safe "in-person" legitimate lawful access, as well as (2) a new product class in the form of minimalist ultra-thin mobile devices, compliant with such a body, to be embedded face-out in the back of any Android, Harmony and iOS smartphone, or carried in custom leather wallets, for all sensitive computing of prime ministers and all citizens. The project would rely on a redundant set of critical tech providers across participating nations, and open source technologies to mitigate supply chain disruption or compromisations.
A number of EU and non-EU nations recognizing the “institutional” impossibility of the EU and UN to take on such an initiative, could take matters in their own hands building such open technical solutions and inter-governmental institutions that can ensure those requirements are met - leading the way for the EU, other regional intergovernmental organizations and the UN to trail behind.
Successful Precedents
There have been similar successful initiatives, in addition to the mentioned Crypto AG, by Germany and the US. The joint definition and adoption by EU member states of the GSM standards produced two decades of EU mobile leadership. France and Germany joined to build Franco-German ARTE public broadcasting TV channel and more recently shared open standards “secure messaging mobile” platform based on Element/Matrix.
An even more fitting, the highly successful Minitel digital platform created by the French government that by 1988 constituted a whole digital ecosystem with 3 million users, several private and public compatible and compliant terminals (or PCs), thousands of private and public services and apps.
While very successful, the Minitel was replaced over a few years by private PCs based on hegemonic US operating systems, due on one side to their better performance and user experience, but also due to larger investment due to global market prospects, globally interoperable app ecosystem and terminal/PCs, and the choice of Minitel to allow its services to run on those new US-made PCs.
Our initiative could be understood as a sort of open, multi-governmental, mobile and ultra-secure version of the Minitel. Unlike the Minitel, it would not initially directly compete with dominant US and Chinese commercial smartphones, but complement them with an adjunct hardware device, in the form of a 2mm-thin standalone mobile device, to be carried inside a custom leather wallet or embedded in the back of smartphones running Android, or maybe Apple iOS and Huawei HarmonyOS.
Such new devices would offer a parallel computing ecosystem that offers substantially or radically unprecedented levels of actual and perceived privacy, integrity and democratic control, that US and Chinese smartphones cannot offer, and that world citizens - initial tens of millions of sensitive users and the all - will likely crave as ever more sophisticated AI, wearables and e-health services will make trustworthiness and privacy the key enabler of new digital services in the next decade..
Would Great Cyber Powers join?
Initial participation by dominant cyber nations like the US, China and Israel as founding governance partners of the TCCB and Seevik Net would be welcome but not required. Also, it would be incentivized via higher temporary influence for the ones that join earlier rather than later.
It may seem that the US and Israel, would not have an interested in maintaining the status quo in the market, because they undoubtedly have an "informational superiority upper hand" in the current model, via their overwhelming control of leading secure devices (e.g. iPhone, Android), spyware (e.g. NSO Group) and endpoint security firms (Crowdstrike, Koolspan, etc).
Due to their control over the leading and globally-hegemonic private IT security firms, the US and Israel have an apparent distinct advantage, via their ability to access better protections, better espionage capabilities, and better espionage countermeasures. Similar powers over the security and insecurity of mobile infrastructure is exercised, increasingly, by China, via its control of nearly all mobile phones except iPhones, and leadership in 5G networks, and increasingly with platforms like WeChat, TikTok and the new mobile operating system Harmony.
Yet, as we argue in a recent blog post, the current model also creates huge collateral damages to their own national security, democracy and to their relationship with allies, so much so that we suspect they'd be open to a better and multilateral solution if one can be conceived and realized.
The current model by which western nations reconcile the need for sensitive non-classified mobile privacy and security with the need for international legitimate lawful access is causing increasingly unacceptable collateral damages in terms of civil freedoms and democratic sovereignty, non only across the World but just as much in the US and Israel, with even parliamentarians and their former prime ministers vulnerable.
The problem has long turned also in a crucial national security threat even in the US and Israel, as it increasingly exposes our leaders, elected officials and journalists to spying and blackmail - by enemies foreign and domestic - and mines the appeal of our democracies to our fellow citizens and towards third nations, whose "hearts and minds" we need to prevail over fast rising appeal authoritarian countries and of authoritarianism.
Vision and Next Steps
By leveraging unique transparency levels - and participating nations' and citizens’ cooperation and oversight at all levels and stages, such new devices and related cloud services will create a parallel cyberspace to the hegemonic USA-Chinese ones that will enable the fair, wise and efficient dialogue that we need to foster the emergence of shared truths, deeper dialogue and coordination among all nations - and to protect and enhance democracy, freedom and safety within liberal and social-democratic societies.
Over time, it will become a kind of personal trust hub that will become essential for the private or sensitive digital lives citizens, such as e-health, political participation, social networking, e-banking, e-government, advanced AI-based services, for strong authentication of laptops, PCs, and cell phones, as well as for citizens’ control and interaction with wearable devices, VR/AR headsets.
Representatives of globally diverse nations and IGOs will discuss such a prospect during the 9th Edition of the Free and Safe in Cyberspace, held for a third time in Geneva, next March 14-15th 2023.
About the author: Rufo Guerreschi is a digital democracy, security and privacy activist, researcher and entrepreneur. He is the founder of the Trustless Computing Association and its spin-in startup TRUSTLESS.AI.